GAIN ELITE INTERNATIONAL LIMITED (railia)
Last Updated: July 23, 2025
Effective Date: July 23, 2025
GDPR Preliminary Disclosure & Controller Identity
GAIN ELITE INTERNATIONAL LIMITED acts as the Data Controller under Regulation (EU) 2016/679 (GDPR) for all personal data of users located within the European Economic Area (EEA). We adhere strictly to the seven core GDPR data protection principles:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy of personal data
Storage limitation
Integrity, confidentiality and security
Accountability
Full Controller Details:
Legal Entity: GAIN ELITE INTERNATIONAL LIMITED
Registered Address: ROOM 605, 6/F, FA YUEN COMMERCIAL BUILDING, 75-77 FA YUEN STREET, MONGKOK, KOWLOON, HONGKONG
GDPR Data Protection Officer (DPO) Contact: service@railia.com (mark email subject: GDPR DPO Enquiry)
EU Representative (Appointed per GDPR Article 27)
Legal Entity Name: RAILIA EUROPE, S.L.
Spanish Tax ID (CIF): B88778675
Full Physical Address (Spain): CL. ISABEL COLOBRAND, 10 4 Pta. 94 - 28050, Madrid, España
Contact Email: samuel.han@railia.com | Local Spain Phone: 0034 6473 69080
Mandate Effective Date: 2026-05-21
Role: Official designated representative for all EEA data subjects and European Supervisory Authorities communications
Note: B88778675 is a provisional Spanish NIF issued by AEAT; we will update this policy promptly once the definitive permanent tax ID is issued.
Historical versions of this privacy policy are archived and available to EEA users upon free written request to our DPO email or our EU Representative contact channels.
GAIN ELITE INTERNATIONAL LIMITED (hereinafter referred to as "we" or "railia") understands the importance of your personal information and is committed to safeguarding its security and reliability. We are dedicated to maintaining your trust and adhere to the principles of accountability, purpose specification, consent, data minimization, security assurance, user participation and transparency. Additionally, we promise to implement industry-standard security measures to protect your personal information.
By using the services provided through railia’s terminal applications (including but not limited to the "railia APP," hereinafter referred to as "APP" or "railia," collectively referred to as "Applications") or by engaging in any non-public interactions with railia (such as using "online customer service" services) (collectively referred to as "Products and Services"), you should understand how we collect, use, and share your personal information and what rights you have under this Privacy Policy ("Policy").
If any specific product or service we provide has a separate privacy policy or specific provisions in its user agreement, that product's privacy policy will take precedence. Any matters not covered by that product's privacy policy or user agreement will be governed by this Policy. Due to differences in your application version, geographical location and product model, the scope, methods and purposes of our personal information processing may vary. Please refer to the separate privacy policies for more detailed information.
Before using our products or services, please read and understand this Privacy Policy carefully. Only after fully understanding and agreeing to the terms should you proceed to use them. Unless otherwise stated, disagreement with this Privacy Policy or its updates (which we will notify you of in a timely manner) may affect your ability to use or continue using our products/services normally.
If you have any questions, comments, or suggestions regarding this Policy, you may contact us using the contact information provided in the Privacy Policy.
You understand and agree that once you click to accept this Policy during the railia account registration process and complete your railia account registration, or once you use any of our products or services, you agree to our collection, use, storage, and sharing of your relevant information in accordance with this Privacy Policy. Consent for marketing, AI personalised analysis and non-essential tracking is collected via separate opt-in checkboxes and is not bundled with core account registration consent per GDPR rules.
For more detailed information, please refer to the following sections:
- How we collect and use your personal information
- How we share, transfer, and disclose personal information
- How we use cookies and similar technologies
- How we use SDKs
- Your rights
- Cross-border transfer of personal information
- How we protect personal information
- Retention period of your personal information
- Privacy Policy for minors
- Policy changes
- Contact information
Annex 1: List of Device Permissions
Annex 2: Third-Party SDK & GDPR Processor Disclosure
1. How We Collect and Use Your Personal Information
1.1 Registration and Login
APP Login Account Information: Before using the APP, you need to register and log in to your account. To create an account, we require your username, password, phone number, and email address (for password recovery). This information helps us verify your identity and is used to activate, manage, and provide services through railia.
If you choose to log in with a third-party application (such as WeChat, Apple ID, etc.), we will also collect relevant information from those third-party applications. This information will be used to verify your identity, match and combine the activities you perform with your railia account, send you notifications about major changes and updates to service functions, communicate with you, and handle any inquiries or issues you may have.
You can modify and supplement your account information, such as your nickname, gender, and profile picture, in the "My" section under "Personal Information" in the APP. This information, referred to as your "account information," helps us provide you with a better user experience. However, if you choose not to provide this supplementary information, it will not affect your ability to use the basic functions of the APP.
We will assign a unique railia ID to your account, which is composed of a random string. This ID cannot be used alone to query your real identity.
When you log in, reset your password, or change the bound mobile phone number, we will access your mobile clipboard to read SMS verification codes related to railia, so as to bring you a more convenient operating experience.
If you are a minor, your guardian shall submit identity documents and guardianship certification via email (service@railia.com) before you can use our services. The personal information of minors will be stored per GDPR and local legal requirements, and the guardian may request deletion at any time.
1.2 Smart Device Network Connection
To provide you with railia’s services and enable you to securely connect and manage smart devices, we may collect information such as your Wi-Fi details, IP address, phone-related information, smart device details, location information, login account information, and the association between your railia account and smart devices. This information will be used to facilitate features such as quick connection, device discovery, and device management. Below is a detailed list of the information we may collect:
(1) Login Account Information: Account, password.
(2) Phone-Related Information: Hardware device identifiers (IMSI, IMEI, MEID, device hardware serial number, SIM card identifier, OAID, MAC address, Android ID), phone model, system version, system language, country or region set on the phone, version number of the app store, phone screen size and resolution, CPU and display device-related information.
(3) Information Collected During Smart Device Connection: Depending on the type of smart device you need to connect, we may collect the following information:
a) For smart devices connected via Wi-Fi: Wi-Fi information (SSID, BSSID, Wi-Fi MAC address, Wi-Fi password), device MAC address, device ID.
b) For smart devices connected via Bluetooth and then linked to Wi-Fi: Wi-Fi information (SSID, BSSID, Wi-Fi MAC address, Wi-Fi password), device MAC address, device Bluetooth MAC address.
c) For smart devices connected via Bluetooth: Device Bluetooth MAC address, device ID.
d) For smart devices connected via Zigbee: Device MAC address, device ID.
e) Legal purpose for collecting Wi-Fi and device serial number information: Wi-Fi information is required for device network configuration.
f) Legal purpose for collecting device serial number: The serial number is used for device identification during network configuration.
g) We will pop up a prompt to ask for your permission before obtaining your precise location information.
To prevent malicious programs and ensure operational quality and efficiency, we will collect information about the railia application you installed (including version, language, source), process data, overall operation status, usage frequency, application crash logs, performance data, system information, network information, hardware information, storage information and service data.
1.3 Device Sharing
We support the ability for you to share smart devices with others via your railia account, allowing the person you share the device with to also control it. To provide this feature, we may collect your account ID, the account ID you provide for sharing, and the information related to the shared device (device ID, device name, device validation key, and the sharing status of the device). This information is used to allow you to share devices with other railia account users and enable joint control and usage of the device, as well as display the sharing status on the device list page.
1.4 Application and Smart Hardware Upgrades
To ensure that you continue to enjoy the latest railia services, we may use your railia app version information and phone model to provide you with app upgrade services. Additionally, we may collect the list of smart devices you have connected and their version numbers to offer upgrade functionality, ensuring that you can use the latest version of the services (including firmware versions).
1.5 Providing Content Support (e.g., Articles)
To help you better use your smart devices, we provide you with selected articles related to the devices. When reading these articles, we do not collect any of your information.
1.6 Purchasing and Delivery of Products and Services
When you purchase or claim products or services through the APP, you will need to provide your recipient’s name (or nickname), recipient’s phone number, and delivery address. When you make a payment, we will collect your payment reference number and payment amount. If you require an invoice, you will need to provide the invoice recipient's name or company information, including full company name, unified social credit code, company address, company phone number and corporate bank account details. If you need after-sales service, you will need to provide transaction details, including product name, price, quantity, order number, and logistics tracking number. You can view all your order information in the “My Orders” section and track your order refund or after-sales progress in the “Refund/After-sales” section.
1.7 Interaction and Customer Support Services
(1) Customer Support Services: We provide customer support through the “Contact Us” page in the “My” section of the APP. During your use of customer support services, we may collect communication content between you and us, the requests and feedback you provide, your name, email address, and other contact details, and any other information you provide. For example, if you reach out to our customer service for product after-sales inquiries, we may collect information such as the product model, SN code, images or videos of the product you have purchased, your name and contact information, and your feedback. This data will help us resolve your issues or provide updates on the progress and outcome of the service.
(2) User Research Activities: We may display or invite you to participate in research activities within the APP. For this, we may send notifications, which you can opt out of by adjusting your notification preferences. If you choose to participate, depending on the specific activity, we may collect questionnaire responses, your contact information, and other details to help us publish results, contact you, or send gifts. If you refuse to provide such information, it may prevent you from participating in the activity or receiving the gifts we offer.
(3) Internal Data Analysis and Research for Product and Service Improvement: We collect operation logs of your usage of the APP (including data related to APP-device connection), data presented to you through the product's detection features, and any issues or feedback you provide through customer support. This data is used for internal analysis and research to improve and upgrade the performance of our products or services, and to develop new products. We will provide algorithm-based personalized recommendations according to your skin analysis results via an automated decision-making system.
Automated Individual Decision-Making (GDPR Article 22 – Rai-SKIN AI System)
Our Rai-SKIN AI engine delivers fully automated skin assessment and custom light therapy protocols, which constitutes automated decision-making that creates material impacts on your skincare routine:
1) Decision logic: The AI cross-references your 8 captured skin metrics (moisture, sebum, pigment, collagen, inflammation, pores, hemoglobin, texture) against a database of over 500,000 anonymised skin profiles to auto-set wavelength mix, session duration and light intensity. Skin health metrics qualify as special category sensitive personal data under GDPR Article 9, processed only with your separate explicit opt-in consent.
2) Your statutory GDPR rights for automated decisions:
- You may fully opt out of AI personalised protocols at any time to switch to fixed manual treatment modes;
- You may submit a request via our DPO email to receive a full human manual review of your AI-generated treatment plan;
- You may challenge or dispute any automated AI output without penalty.
3) Safeguard rule: Automated AI results will never be used as the sole basis for account suspension, refund refusal or contractual penalties; all high-impact actions require secondary human staff verification. You may disable this personalized recommendation function in App Settings at any time, or contact us to request manual intervention.
(4) Marketing Messages and Promotions: We may provide or promote marketing messages about our products and services (and those of our affiliates) within the app’s pages and pop-up ads (which can be closed with a single click). We may also send or display relevant messages to your account within the app. Additionally, we may send marketing messages to your phone number or email. These marketing messages do not affect the normal functionality of railia products or services. Marketing consent is collected via separate unticked opt-in checkboxes at registration. If you do not wish to receive marketing emails, please click the "Unsubscribe" link in the email. To unsubscribe from SMS marketing messages, follow the instructions in the text. You may turn off in-app marketing notifications via My - Settings - Notification Settings - Activity Notifications.
(5) Posting Reviews: When you post a review within the application, we will collect your railia account, profile picture, and nickname.
1.8 Additional Services Based on System Permissions
When you use the APP, certain system permissions may need to be authorized to provide you with the services you select or ensure the quality and experience of those services. If you do not agree to grant the application access to these system permissions, it will not affect your ability to use the basic features of our services (except for necessary system permissions required by those features). However, you may not be able to enjoy the enhanced user experience provided by additional services. You can review and manage these permissions in your mobile device settings, enabling or disabling them as you choose. If you disable certain permissions, we will no longer collect and use related personal information based on those permissions, unless we obtain your consent again. Disabling permissions will not affect the collection and use of information based on your previous consent.
If you provide personal information of other users, you must obtain legitimate authorization in advance. If the information involves minors, you shall obtain consent from the minor’s guardian before submission. The guardian has the right to contact us via the contact methods stated in this Policy to request correction or deletion of the minor’s personal information.
We may collect, use, or process your personal information without your explicit consent in the following situations, and we may not respond to your requests for correction, deletion, cancellation, or withdrawal of consent: (1) Necessary for concluding or performing a contract with you; (2) Necessary for performing legal duties and obligations; (3) Necessary for responding to public health emergencies or protecting personal life, health and property in emergency situations; (4) Processing personal information for news reporting and public opinion supervision within a reasonable scope for public interests; (5) Processing personal information that you have publicly disclosed or legally disclosed by others in accordance with laws; (6) Necessary to ensure the safe and stable operation of our products and services, such as troubleshooting; (7) Other circumstances stipulated by laws and administrative regulations.
We may process personal information through technical means to de-identify data, so that the recipients cannot re-identify specific individuals. We may use de-identified data for research, statistical analysis, trend prediction, content optimization, business decision support, product improvement and machine learning training. The use of such de-identified data does not require separate notice or consent from you.
1.9 Lawful Bases for Processing (GDPR Article 6 & Article 9)
We rely on distinct lawful bases for each category of data processing. For special category sensitive personal data (GDPR Art.9) — including your skin health metrics, inflammation levels, acne conditions, pigmentation and collagen status collected for Rai-SKIN AI analysis — we only process this data based on your separate, explicit, freely-given opt-in consent. No sensitive health data will be processed without your specific ticked consent.
1) Consent (GDPR Art.6(1)(a) / Art.9(2)(a)). Applies to: Marketing emails/SMS, personalised Rai-SKIN AI skin analysis, non-essential location tracking, non-necessary analytics & advertising cookies. Consent is fully voluntary; withdrawal has no negative impact on core account and product functionality.
2) Performance of Contract (GDPR Art.6(1)(b)). Applies to: Account registration, order fulfilment, delivery, device connection, warranty & after-sales support. Processing is mandatory to perform our sales/service contract; refusal means we cannot deliver core services.
3) Legal Obligation (GDPR Art.6(1)(c)). Applies to: Tax accounting records, anti-fraud compliance, official regulatory disclosure requests, statutory record retention.
4) Legitimate Interest (GDPR Art.6(1)(f)). Applies to: App crash analytics, security monitoring, anti-malicious access, internal product improvement, device stability testing. We have completed a formal Legitimate Interest Assessment (LIA). You hold an unconditional right to object to this processing at any time.
5) Vital Interests & Public Interest Exception. Only activated for life-or-health emergency scenarios or legally defined public interest reporting; no routine business use.
2. How We Share, Transfer, and Disclose Personal Information
2.1 Entrusted Processing (GDPR Article 28 Data Processors)
To provide certain services or functionalities, we may entrust authorized third-party service providers to process your personal information. For example, we may entrust service providers to assist in providing on-site repair or other customer support services. Please rest assured that we will only entrust the processing of your personal information for the lawful, legitimate, necessary, specific, and explicit purposes outlined in this Privacy Policy. We execute binding GDPR-compliant Data Processing Agreements (DPAs) with all entrusted processors, which prevent them from using your personal information for any purposes beyond the scope of the entrusted processing. If the entrusted third party uses your personal information beyond the entrusted scope, they shall obtain your separate consent again.
2.2 Sharing
We do not share your personal information with any third-party organizations, individuals, or entities outside of railia and its affiliates, except in the following cases: (1) Necessary for Providing Services or Features: In some cases, we must share your personal information with third-party service providers to provide the services or features you request or to fulfil our obligations as a contracting party with you. If we share your sensitive personal information, or the third-party service provider changes the purpose or method of processing your personal information, we will obtain your separate consent again. (2) Third-Party Links and Websites: Our application may contain links to third-party websites. If you use third-party services, please be aware that these websites have their own privacy policies, and we are not responsible for those policies. Please review the privacy policies of these websites before submitting any personal information. (3) With Your Explicit Consent: If we obtain your explicit consent, we may share your personal information with third parties acting as independent data controllers.
2.3 Transfer
We do not transfer your personal information to any third-party organizations, individuals, or entities acting as independent controllers, except in the following cases: (1) With Your Explicit Consent: If we obtain your explicit consent, we may transfer your personal information to third parties. (2) Transfer Due to Change of Control: In the event of a sale, acquisition, merger, reorganization, or other changes in control, personal information may be transferred to a third party. If we sell, merge, or transfer any part of our business, the sale may include your personal information. In such cases, we will notify you of the third party’s name/contact information, and we will ensure that the third party continues to be bound by this Privacy Policy. If the transferee changes the original purpose or method of processing your personal information, we will require them to obtain your separate consent again.
2.4 Disclosure
We will disclose your personal information only under the following circumstances: (1) With Your Explicit Consent: If we obtain your explicit consent, we may disclose your personal information to third parties. (2) Required by Law: We may disclose your personal information in response to legal requests from government authorities (including law enforcement), or to comply with legal obligations. We may also disclose your personal information to enforce or apply our terms and agreements or to protect our rights, property, and safety, or the rights, property, and safety of others. This may also include sharing personal information to prevent fraud by exchanging it with other companies and organizations.
2.5 Exceptions for Sharing, Transfer, or Disclosure Without Prior Consent
The following circumstances do not require us to obtain your prior consent before sharing, transferring, or disclosing your personal information: (1) Necessary for concluding or performing a contract with you; (2) Necessary for performing legal duties and obligations; (3) Necessary for responding to public health emergencies or protecting personal life, health and property in emergency situations; (4) Processing personal information for news reporting and public opinion supervision within a reasonable scope for public interests; (5) Processing personal information that you have publicly disclosed or legally disclosed by others in accordance with laws; (6) Necessary to ensure the safe and stable operation of our products and services, such as troubleshooting; (7) Other circumstances stipulated by laws and administrative regulations.
Please note, if we process personal information using technical measures and other necessary methods to de-identify data, the sharing, transfer, or disclosure of such processed data does not require separate notification or consent from you.
3. How We Use Cookies and Similar Technologies
3.1 Cookies
To ensure the proper functioning of our products and services, we may place small data files called Cookies on your computer, mobile device, or other devices. The app contains embedded H5 pages. A Cookie is a small data file saved by websites or mobile applications on your device when you visit them. It allows websites to remember your actions and preferences (such as login names, shopping carts, or other preferences) for a period of time, so you don't have to re-enter them when you return to the site or move from one page to another. We do not use Cookies for any purposes other than those described in this policy. If your browser or browser extensions allow it, you can modify the level of acceptance or reject our Cookies.
3.2 Similar Technologies to Cookies
In addition to Cookies, we may also use other similar technologies, such as web beacons, pixel tags, etc., on webpages (with embedded H5 pages in the app). For example, the emails we send you may contain clickable URLs linking to content on our website. If you click on that link, we may track the click to help us understand your product or service preferences and improve customer service. A web beacon is usually a transparent image embedded in a website or email. By using pixel tags in emails, we can track whether an email has been opened. If you do not wish to have your activities tracked in this way, you can unsubscribe from our mailing list at any time.
3.3 First Use of APP Cookie Consent Layer
When you first launch the APP or visit our Shopify web store, a granular consent pop-up will appear with four independent toggle categories (no pre-ticked consent boxes, GDPR mandatory):
1) Strictly Necessary Cookies: Cannot be disabled; lawful basis = contract performance (login, cart, device session).
2) Analytics Cookies: Lawful basis = your explicit opt-in consent.
3) Personalisation Cookies: Lawful basis = your explicit opt-in consent.
4) Marketing/Advertising Cookies: Lawful basis = your explicit opt-in consent.
Rejecting non-necessary cookie categories will never break core APP or checkout functionality. You may revisit and adjust cookie preferences anytime via App > My > Settings > Privacy & Cookie Settings or Shopify website footer Cookie Settings.
3.4 GDPR Cookie Transparency Addendum
All non-necessary tracking cookies expire within a maximum of 12 months. A full list of third-party tracking partners, their data collection scope, storage location and processing purposes is published permanently within Annex 2 (SDK & Third-Party Processor List). We will never share cookie tracking identifiers with unaffiliated advertisers without your separate explicit consent.
4. How We Use SDKs
To provide and optimize our services, our application may integrate third-party SDKs. These third-party SDKs act as Data Processors under GDPR Article 28. We execute legally binding GDPR-compliant Data Processing Agreements (DPAs) with every SDK vendor before integration, which enforce the following mandatory processor obligations:
1) Process personal data solely following our written instructions;
2) Deploy security protection equivalent to GDPR standards;
3) No sub-processing (hiring further subcontractors) unless we provide prior written approval, and sub-processors also sign identical protective DPAs;
4) Fully assist us to fulfil EEA user data subject rights requests, GDPR breach notification duties and compliance audits;
5) Permanently delete or return all personal data once our service partnership terminates.
These third-party SDKs, in cooperation with us, may collect and use your personal information according to their own privacy policies. You agree that we and the third parties can use the collected information for other services and purposes, provided it complies with relevant laws and regulations. We will take necessary measures to control the collection and use of your personal information by these third-party SDKs and ensure, through contracts and other means, that your personal information is protected at a level no less than what is stated in this policy. For more details about the identity of third-party SDKs and their data collection purposes, please refer to Annex 2 of this policy.
5. Your Rights
5.1 Access, Correction, and Supplementing Your Information
You have the right to query, correct, or supplement your information. You can do so through the following methods: (1) Log in to the APP and go to "My" to query, correct, or supplement personal data. (2) Log in to the APP, select "My" > "Contact Us," and the customer service will assist you in querying, correcting, or supplementing your information.
GDPR Art.15 Full Access Right
Upon your verified request, we will supply a free full copy of all personal data we hold about you in a structured, machine-readable format, alongside a complete breakdown of: all processing purposes, lawful bases, third-party data recipients, cross-border transfer safeguards, exact retention timelines, and automated decision logic details. A reasonable fee will only apply for excessive repeated duplicate requests.
5.2 Deleting Your Personal Information (GDPR Art.17 Right to be Forgotten)
You may request the deletion of your personal information in the following situations: (1) If we collect or use personal information in violation of laws and regulations; (2) If our processing of personal information violates the agreement with you; (3) If you no longer use our products or services, or you cancel your account; (4) If we no longer provide products or services to you; (5) If you withdraw your consent after granting us the right to collect and use your personal information. GDPR extended deletion triggers: You may also demand full erasure where you lodge a successful objection to legitimate-interest processing, or where your sensitive health data processing is no longer justified. After valid deletion request approval, we erase all retrievable user data within 30 calendar days; only minimal legally required archive records will be retained.
You can delete the device data stored on railia by revoking the device authorization. You can go to "Device Settings" > "Delete Device" in the APP, and after clicking the "Delete Device" button, a confirmation pop-up will appear. Upon confirming, we will clear the device-related server data, unbind all primary and secondary user associations, as well as any third-party devices (such as third-party smart speakers) bound to the device. Please note that this deletion is irreversible, so proceed carefully. Revoking device authorization will not erase data stored locally on the device. To clear local data, please follow the user manual and reset the device via the physical RESET button on the device.
5.3 Account Cancellation
You can cancel your railia account by logging in to the APP, going to "My" > "Settings" > "Account and Security" > "Cancel Account." After account cancellation, we will stop providing products or services to you and, upon your request, delete your personal information, unless otherwise required by law.
5.4 Change the Scope of Your Authorized Consent
Each business function requires some basic personal information for completion. For any additional collection of personal information, you can give or withdraw your consent at any time. You can withdraw or modify authorization by adjusting permissions in your mobile device settings such as location, camera and microphone. Withdrawing consent will not affect the validity of previous personal information processing activities based on your authorization.
5.5 Request an Explanation of This Privacy Policy
You have the right to request an explanation of this privacy policy at any time. Please contact us according to the information in the "Contact Us" section below.
5.6 New GDPR Statutory Rights (Full Missing Set)
5.6.1 Right to Restrict Processing (GDPR Art.18)
You may demand we pause all active processing of your personal data if:
1) You contest the accuracy of your stored data (we pause processing during verification);
2) Our processing activity is unlawful and you refuse full deletion;
3) We no longer need the data for our business purposes, but you require it for legal claim defence;
4) You have submitted an objection to legitimate-interest processing pending our balance assessment.
During restriction periods, we may only securely store your data and undertake no other processing actions unless you grant new consent or legal obligations apply.
5.6.2 Right to Data Portability (GDPR Art.20)
For data you provided to us under consent or contract lawful bases, you may request we export your full personal dataset in standard CSV/JSON machine-readable format, to transmit directly to another data controller where technically feasible. Portability requests are processed free for standard volume.
5.6.3 Right to Object (GDPR Art.21)
1) Marketing communications: Unconditional, immediate opt-out with no justification needed, via email unsubscribe, SMS STOP, or APP notification toggles.
2) Legitimate-interest processing (analytics, security, product improvement): You may object at any time. We must cease this processing unless we prove compelling overriding legitimate business grounds that outweigh your fundamental privacy rights.
5.6.4 Right to Lodge Independent Regulatory Complaint (GDPR Art.77)
You hold an unrestricted right to submit a formal data protection complaint directly to your local national European Data Protection Authority (DPA) at any stage — you are not required to raise the issue with us internally first before contacting regulators.
5.7 Responding to Your Requests
For security reasons, you may need to submit a written request or verify your identity in another way. We may ask you to verify your identity before processing your request. GDPR mandatory response timeline: We will acknowledge your request within 72 hours and deliver a full substantive response within one calendar month of verified receipt. For highly complex multi-part requests, we may extend the deadline by up to two additional months, provided we notify you of the extension reason within the original one-month window. We may reject unreasonable requests, including requests for irrelevant information, repeated excessive requests, requests requiring disproportionate technical workload or requests that may infringe other users' legitimate rights and interests. We do not charge fees for reasonable standard requests. However, we may charge reasonable service fees for excessive and repeated duplicate requests.
6. Cross-border Transfer of Personal Information (GDPR Art.44 – Art.50)
6.1 Storage split rule: Data collected from users inside Mainland China is stored in Mainland China servers; data from global overseas users (including EEA) is hosted on secure Hong Kong cloud infrastructure. The European Commission has not issued an adequacy decision for Hong Kong SAR, so standard unrestricted cross-border transfers to Hong Kong are not permitted for EEA resident data.
6.2 Approved transfer mechanism for EEA user data: For all personal data belonging to EEA residents transferred from EEA territory to our Hong Kong controller or Mainland China processors, we implement the European Commission 2021 Standard Contractual Clauses (SCCs) — the official validated GDPR cross-border legal instrument. A full copy of our executed SCC agreement is available to you free of charge via written request to our DPO email.
6.3 Supplementary risk mitigation safeguards for cross-border flows:
- End-to-end TLS 1.3 encryption for all data in transit; AES-256 encryption for data at rest in Hong Kong/Mainland storage;
- All overseas processors sign binding GDPR data protection addendums limiting access, banning unapproved sub-processing, and imposing a 72-hour cross-border data breach notification duty to both us and relevant EU authorities;
- We conduct annual cross-border data protection risk audits for all third-party overseas storage partners.
6.4 Limited exception transfers without SCC execution: We may transfer EEA user data without SCCs only in narrow legally permitted scenarios:
- Mandatory formal court/government regulatory legal demand;
- Verified vital life or health emergency protection;
- Your explicit written, fully risk-disclosed consent to the cross-border transfer after we outline potential protection gaps in non-adequacy jurisdictions.
6.5 We will never transfer EEA personal data to unvetted, high-risk third countries outside the EU where no valid GDPR transfer safeguards are in place.
7. How We Protect Personal Information
We strive to protect the security of your personal information to prevent unauthorized access, disclosure, alteration, loss, misuse, or unauthorized use. When you input, submit, or access your personal information, we implement various security measures to maintain its safety. For instance, where applicable, we will use encryption to transmit and store your personal information. We also apply the principle of least privilege for staff members who may access your data, with strict controls over access processes and approval mechanisms. Furthermore, we use access controls and confidentiality agreements to further restrict access to your personal information.
Please understand that due to technological limitations and potential malicious actions, there may be situations where personal information security incidents occur outside of our control.
GDPR Article 33 Breach Notification Obligations
If we discover a personal data breach that poses a risk to EEA users’ rights and freedoms:
1) We will notify the competent EU supervisory authority within 72 hours of detecting the breach;
2) If the breach creates high risk to your personal rights, we will send an individual direct notification to you detailing incident facts, risks, remedial actions, and risk-mitigation guidance;
3) Where mass individual notification is impracticable, we publish a clear public breach announcement via our APP and Shopify website. We will fully document all breach investigation, response and remediation records as required by GDPR.
8. Retention Period of Your Personal Information
We retain personal information related to you or your devices for the purposes outlined in this Privacy Policy. When this information is no longer necessary for achieving these purposes, we will delete or anonymize the data, unless legal requirements mandate that we retain it for a longer period, including mandatory retention periods for network logs and online transaction records. When determining the retention period, we consider various factors, such as the type of product or service provided to you, the nature and duration of the relationship between us, the impact of deleting personal information on the services provided, mandatory retention periods specified by law, and statutory limitations. GDPR transparent retention examples for core datasets:
- Order, payment, invoice & accounting records: 7 full years (global tax & commercial legal requirement);
- Rai-SKIN AI skin analysis sensitive health data: maximum 12 months post your last mask session (auto-anonymised or purged afterward unless you opt in to extended storage);
- Smart device connection & operation logs: 90 days auto-retention;
- Marketing consent records: stored permanently until you submit a consent withdrawal request;
- Anonymous/de-identified statistical data: unlimited retention (no longer qualifies as personal data under GDPR).
9. Privacy Policy for Minors (GDPR Article 8)
Our website, products, and services are not intended for minors. We do not actively collect personal information from minors. We do not directly offer services to children nor use their personal information for marketing purposes.
9.1 EEA age threshold rule: The minimum age for independent, legally valid consent under GDPR is 16 years old. Any user residing in the EEA aged below 16 cannot create an account or activate AI skin analysis functions unless we receive verifiable written parental/legal guardian consent prior to account setup.
9.2 No targeted marketing, personalised AI tracking or sensitive health data processing will be enabled for minor EEA accounts without validated guardian approval.
9.3 Guardian deletion right: If you are a parent/legal guardian and confirm a minor under your care has submitted personal data to us without your consent, submit verified identity paperwork to service@railia.com and we will erase all minor personal data within 72 hours of validation.
9.4 If we unknowingly collect EEA minor data without valid guardian consent, full data purging will be completed within 72 hours of discovery. For non-EEA minor users outside Europe, local applicable age-of-consent rules apply alongside our internal guardian verification process.
10. Policy Changes
We may revise our Privacy Policy from time to time. We will notify you of any changes through push notifications or other means during login or version updates. For material changes involving business functions, cross-border data transfer or data usage purposes, we will issue prominent notifications via email, SMS or in-app alerts.
GDPR material update rule:
If revisions alter the core purposes, lawful bases, cross-border transfer mechanisms or automated AI decision scope (material GDPR changes), continued usage will not count as acceptance. We will require you to actively re-affirm your consent to the updated policy before you may resume full use of sensitive functions (AI analysis, marketing, cross-border data flows). If you continue using our products and services after non-material minor Policy updates take effect, it means you have fully read, understood, and accepted the updated Privacy Policy and agree to be bound by it.
We recommend that you regularly review this Privacy Policy to stay informed of the latest version. You can view the policy in the APP by going to “My” → “Settings” → “Privacy Policy.”
11. Contact Information
You can contact us through the following methods, and we will respond within 15 business days (aligned to GDPR one-month maximum formal request timeline):
(1) If you have any questions, comments, or suggestions about this policy or minor personal information, you can contact us through the "Contact Us" section in the APP for customer support.
(2) We have appointed a Personal Information Protection Officer (GDPR DPO), and you can contact them through the following means:
Email: service@railia.com (mark subject line: GDPR DPO – [Your Full Name / Account ID])
Company Full Name: GAIN ELITE INTERNATIONAL LIMITED
Contact Address: ROOM 605, 6/F, FA YUEN COMMERCIAL BUILDING, 75-77 FA YUEN STREET, MONGKOK, KOWLOON, HONGKONG
Annex 1: List of Device Permissions
To ensure the functionality and stable operation of our services, we may request or use relevant operating system permissions. Please be aware that, for the purposes of service functionality and security, we may also use third-party SDKs, which may request or use relevant operating system permissions. During your use of our services, you may interact with H5 pages developed by us or third parties, and these plugins may also request or use relevant operating system permissions as necessary for their business functionality.
Android System Permissions
| Permission Name | Purpose, Scenario & Explanation |
| --- | --- |
| CAMERA | This permission is needed when you use interactive features, set up or edit your user avatar, take screenshots for feedback, scan QR codes for network or Bluetooth connection, evaluate orders, or provide after-sales feedback. |
| WRITE_EXTERNAL_STORAGE, READ_EXTERNAL_STORAGE (Storage for Android 13 and below) | This permission is required when using interactive features, editing your avatar, uploading QR codes for network configuration, saving images, or recording and storing videos. It's also needed for app upgrades and error reporting. |
| ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION (Location) | This permission is needed to provide international dialing code, device country/region info, network configuration, device binding, and location-based services. |
| INTERNET | This permission is needed when using the app to connect devices via Wi-Fi for network configuration and to establish the connection. |
| BLUETOOTH, BLUETOOTH_ADMIN, BLUETOOTH_SCAN, BLUETOOTH_ADVERTISE, BLUETOOTH_CONNECT (Bluetooth) | These permissions are required when connecting devices via Bluetooth for configuration and network connection. Third-party services like Baidu Analytics may also use this permission for accurate statistical analysis. |
| CHANGE_WIFI_STATE, ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE, CHANGE_NETWORK_STATE, INTERNET (Network State) | These permissions are needed to connect the device to Wi-Fi and to ensure network stability. Third-party SDKs like Baidu Analytics may also use these permissions to maintain connection stability. SDKs like Agora (video/audio) use them to monitor network status and connectivity. |
| VIBRATE | This permission is used to provide tactile feedback when you press the "Start Care" button in the app. |
| REQUEST_INSTALL_PACKAGES | This permission is required when the app needs to update itself or install new packages. |
| com.huawei.android.launcher.permission.CHANGE_BADGE | This permission is used if you are using a Huawei device to show the unread message count on the app icon when you receive notifications. |
| READ_PHONE_STATE | This permission is used by third-party SDKs, like Jiguang (Push), to improve user identification and ensure accurate message delivery. Baidu Analytics uses it for device identification. Agora SDK uses it to detect incoming calls and stop audio interactions. |
| READ_MEDIA_IMAGES, READ_MEDIA_AUDIO, READ_MEDIA_VIDEO, READ_MEDIA_VISUAL_USER_SELECTED (Photos & Videos for Android 13 and above) | This permission is needed to read gallery contents for uploading profile images, order reviews, feedback, interactive participation, video recording, and saving images. |
| POST_NOTIFICATIONS | This permission ensures the correct delivery of notifications. |
| MODIFY_AUDIO_SETTINGS | This permission is used by the Android app to modify system-wide audio settings, such as adjusting volume and selecting audio output devices. Agora SDK uses it to adjust audio settings during video/audio calls. |
| com.google.android.apps.photos.permission.GOOGLE_PHOTOS | This permission allows the Android app to access and modify Google Photos settings. |
| WAKE_LOCK | This permission keeps the screen awake and prevents it from locking automatically. |
| READ_LOGS | This permission is used to record logs and troubleshoot issues. |
Annex 2 – Third-Party SDK & Data Processor GDPR Full Disclosure
Applicable to GAIN ELITE INTERNATIONAL LIMITED (railia APP) | Compliant with GDPR Article 28 & Transparency Requirements
For guaranteeing stable operation of the railia APP and enabling corresponding functions, we integrate third-party Software Development Kits (SDKs) provided by external vendors. Certain integrated third-party SDKs may collect your personal information to deliver designated services to you. We conduct full assessments of each third party's data collection compliance, legitimacy, proportionality and necessity. We bind all third-party SDK vendors via formal GDPR-compliant Data Processing Agreements (DPAs), mandating they deploy equivalent high-standard data security safeguards and fully abide by global data protection laws, including the EU GDPR.
We may adjust our integrated third-party SDK lineup when expanding service scope, optimising operational stability, upgrading feature modules or carrying out version iterations. We will promptly update this annex to reflect the latest list of data-collecting third-party SDKs. Please note that SDK vendors may adjust their data sharing scope due to version upgrades or internal policy revisions; final binding data processing rules shall be subject to the official privacy policy published by the respective third-party provider.
All vendors listed below act as GDPR Data Processors. They may only process your personal data strictly per our written instructions, are prohibited from unauthorised sub-processing, and are obligated to assist us with data subject rights requests, data breach reporting and compliance audits as required by GDPR.
| Third-Party SDK Name | Categories of Personal Data Collected | Purpose of Collection & Processing | Official Third-Party Privacy Policy Link |
| --- | --- | --- | --- |
| WeChat Open Platform SDK | Android ID, OAID, Wi-Fi name, IP address, WeChat installation status & version (to verify WeChat launch eligibility for payment) | WeChat account login, WeChat account binding, content sharing to WeChat, invoking WeChat payment gateway for order checkout transactions | https://developers.weixin.qq.com/doc/oplatform/Mobile_App/Access_Guide/Android.html |
| Sina Weibo Open Platform SDK | Full device hardware & software identifiers: device model, unique device IDs (IMEI / Android ID / IDFA / OPENUDID / GUID / OAID), device MAC address, mobile telecom operator details | Enabling users to share in-app content to Sina Weibo platform | https://weibo.com/signup/v5/privacy |
| Alibaba Cloud SDK | Network status data, general device information | Provide APP network security defence, traffic acceleration, domain resolution and cloud infrastructure stability support | http://terms.aliyun.com/legal-agreement/terms/suit_bu1_ali_cloud/suit_bu1_ali_cloud201902141711_54837.html?spm=a2c4g.11186623.2.14.3fc811 |